
I'm building a Java app that connects to a mongodb hosted with mongolab. Mongolab requires authentication. This app runs on people's local machines and connects directly to mongolab.

Do I:

  1. Merely code the authentication like so: db.authenticate("Jimbo", "pa55w0rd".toCharArray()) leaving the password available to anyone with a hex editor - does that even matter?
  2. Use a middle man service that does individual user authentication and then retrieves data from mongolabs?
  3. Have every user of my cool app have a username and password?
  4. Some other cool trick I've missed?

What's the best practice here?

  • This isn't the most "security conscious" answer but a lot of times you can get away with 1 provided your database is local, doesn't allow remote connections (that port is disabled or firewalled), access to the server is protected, you're certain your server code doesn't get sent over the link, and you aren't super paranoid (you can rely on the OS to protect you). Otherwise you will want something more complicated. Also look at http://stackoverflow.com/questions/258299/what-is-the-best-way-to-keep-passwords-configurable-without-having-them-too-eas/421684#421684 – Pace May 03 '13 at 22:09
  • Hmm, your mention of disabled/firewalled ports pushes me to option 2 with an http service and have the server connect to mongolabs or just install mongodb on said server. – Kevin Pluck May 03 '13 at 22:15
  • One thing to keep in mind is that at some point the password will be in plaintext in memory on your server (not the middle man server). Any user with root access to your server can load up a memory inspector of some kind and, with enough determination, obtain your password. – Pace May 03 '13 at 22:16
  • Yes, locks only keep out honest thieves. :-) – Kevin Pluck May 03 '13 at 22:38
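As an added example (not code from the question or the commenters) of how little protection option 1 gives: a Java string literal is stored in plaintext in the class file's constant pool, so a build step can scan the compiled artefact and flag literals that look like credentials before it ships. The class-file bytes below are constructed inline for the demonstration, and `credential_candidates` is a heuristic filter assumed here, not a JVM concept.

```python
import struct

# Byte widths of the fixed-size constant-pool entries (JVM spec, section 4.4),
# keyed by tag. Tag 1 (Utf8) and tags 5/6 (Long/Double) are handled separately.
_FIXED_SIZE = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
               15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(blob):
    """Return every CONSTANT_Utf8 entry of a .class file, in pool order."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", blob, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    off, idx, found = 10, 1, []          # pool entries are numbered from 1
    while idx < count:
        tag = blob[off]
        off += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", blob, off)
            off += 2
            found.append(blob[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (5, 6):               # Long/Double occupy two pool slots
            off += 8
            idx += 1
        else:
            off += _FIXED_SIZE[tag]
        idx += 1
    return found


def credential_candidates(strings, min_len=6):
    """Heuristic (assumed): drop descriptors/class names, keep opaque literals."""
    return [s for s in strings
            if len(s) >= min_len and not any(c in s for c in "/();<>[")]


def build_class_prefix(literals):
    """Constructed sample: header + constant pool only (all the scanner reads)."""
    pool = b""
    for lit in literals:
        data = lit.encode("utf-8")
        pool += struct.pack(">BH", 1, len(data)) + data   # tag 1, length, bytes
    pool += struct.pack(">BQ", 5, 0)                      # a Long: two slots
    pool += struct.pack(">BH", 7, 1)                      # a Class ref to #1
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(literals) + 4) + pool


if __name__ == "__main__":
    sample = build_class_prefix(["Main", "Ljava/lang/String;", "Jimbo", "pa55w0rd"])
    print(credential_candidates(constant_pool_strings(sample)))  # -> ['pa55w0rd']
```

On a real build you would run `constant_pool_strings` over each .class inside the jar and fail the build if `credential_candidates` returns anything; the same plaintext is what `javap -v` or a hex editor shows, which is why the credential belongs on the middle-tier server, not in the client.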
